authenticate: rework session ID token handling (#5178)

Currently, the Session proto id_token field is populated with Pomerium
session data during initial login, but with IdP ID token data after an
IdP session refresh.

Instead, store only IdP ID token data in this field.

Update the existing SetRawIDToken method to populate the structured data
fields based on the contents of the raw ID token. Remove the other code
that sets these fields (in the authenticateflow package and in
manager.sessionUnmarshaler).

Add a test for the identity manager, exercising the combined effect of
session claims unmarshaling and SetRawIDToken(), to verify that the
combined behavior is preserved unchanged.

pkg/identity/legacymanager/data_test.go

@@ -1,12 +1,20 @@
 package legacymanager
 
 import (
+	"context"
+	"crypto"
+	"crypto/rand"
+	"crypto/rsa"
 	"encoding/json"
 	"fmt"
 	"testing"
 	"time"
 
+	go_oidc "github.com/coreos/go-oidc/v3/oidc"
+	"github.com/go-jose/go-jose/v3"
+	"github.com/go-jose/go-jose/v3/jwt"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/timestamppb"
 
@@ -63,12 +71,61 @@ func TestSession_UnmarshalJSON(t *testing.T) {
 	}`), &s)
 	assert.NoError(t, err)
 	assert.NotNil(t, s.Session)
-	assert.NotNil(t, s.Session.IdToken)
-	assert.Equal(t, "https://some.issuer.com", s.Session.IdToken.Issuer)
-	assert.Equal(t, "subject", s.Session.IdToken.Subject)
-	assert.Equal(t, timestamppb.New(tm), s.Session.IdToken.ExpiresAt)
-	assert.Equal(t, timestamppb.New(tm), s.Session.IdToken.IssuedAt)
 	assert.Equal(t, map[string]*structpb.ListValue{
 		"some-other-claim": {Values: []*structpb.Value{protoutil.ToStruct("xyz")}},
 	}, s.Claims)
 }
+
+// Simulate the behavior during an oidc.Authenticator Refresh() call:
+// SetRawIDToken() followed by a Claims() unmarshal call.
+func TestSession_RefreshUpdate(t *testing.T) {
+	// Create a valid go_oidc.IDToken. This requires a real signing key.
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	require.NoError(t, err)
+
+	iat := time.Now().Unix()
+	exp := iat + 3600
+	payload := map[string]any{
+		"iss":              "https://issuer.example.com",
+		"aud":              "https://client.example.com",
+		"sub":              "subject",
+		"exp":              exp,
+		"iat":              iat,
+		"some-other-claim": "xyz",
+	}
+	jwtSigner, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.RS256, Key: privateKey}, nil)
+	require.NoError(t, err)
+	rawIDToken, err := jwt.Signed(jwtSigner).Claims(payload).CompactSerialize()
+	require.NoError(t, err)
+
+	keySet := &go_oidc.StaticKeySet{PublicKeys: []crypto.PublicKey{privateKey.Public()}}
+	verifier := go_oidc.NewVerifier("https://issuer.example.com", keySet, &go_oidc.Config{
+		ClientID: "https://client.example.com",
+	})
+
+	// Finally, we can obtain a go_oidc.IDToken.
+	idToken, err := verifier.Verify(context.Background(), rawIDToken)
+	require.NoError(t, err)
+
+	// This is the behavior under test.
+	var s session.Session
+	v := &Session{Session: &s}
+	v.SetRawIDToken(rawIDToken)
+	err = idToken.Claims(v)
+
+	assert.NoError(t, err)
+	assert.NotNil(t, s.IdToken)
+	assert.Equal(t, "https://issuer.example.com", s.IdToken.Issuer)
+	assert.Equal(t, "subject", s.IdToken.Subject)
+	assert.Equal(t, &timestamppb.Timestamp{Seconds: exp}, s.IdToken.ExpiresAt)
+	assert.Equal(t, &timestamppb.Timestamp{Seconds: iat}, s.IdToken.IssuedAt)
+	assert.Equal(t, map[string]*structpb.ListValue{
+		"aud": {
+			Values: []*structpb.Value{structpb.NewStringValue("https://client.example.com")},
+		},
+		"some-other-claim": {
+			Values: []*structpb.Value{structpb.NewStringValue("xyz")},
+		},
+	}, s.Claims)
+	assert.Equal(t, rawIDToken, s.IdToken.Raw)
+}